[pull] master from apache:master

.github/workflows/bashlib.sh

@@ -59,6 +59,15 @@ build-assets() {
   say "::endgroup::"
 }
 
+build-embedded-sdk() {
+  cd "$GITHUB_WORKSPACE/superset-embedded-sdk"
+
+  say "::group::Build embedded SDK bundle for E2E tests"
+  npm ci
+  npm run build
+  say "::endgroup::"
+}
+
 build-instrumented-assets() {
   cd "$GITHUB_WORKSPACE/superset-frontend"
 
@@ -276,7 +285,12 @@ playwright-run() {
   cd "$GITHUB_WORKSPACE"
   local serverlog="${HOME}/superset-playwright.log"
   local port=8081
-  PLAYWRIGHT_BASE_URL="http://localhost:${port}"
+  # Use 127.0.0.1 explicitly: `flask run` binds IPv4 only, and Node's DNS
+  # resolution for `localhost` can return `::1` first (IPv6), which then
+  # refuses against the IPv4 listener and surfaces as
+  # `connect ECONNREFUSED ::1:<port>` in API helpers driven from Node
+  # (e.g., the embedded test app's exposed token fetcher).
+  PLAYWRIGHT_BASE_URL="http://127.0.0.1:${port}"
   if [ -n "$APP_ROOT" ]; then
     export SUPERSET_APP_ROOT=$APP_ROOT
     PLAYWRIGHT_BASE_URL=${PLAYWRIGHT_BASE_URL}${APP_ROOT}/

.github/workflows/superset-e2e.yml

@@ -240,6 +240,11 @@ jobs:
         uses: ./.github/actions/cached-dependencies
         with:
           run: build-instrumented-assets
+      - name: Build embedded SDK
+        if: steps.check.outputs.python || steps.check.outputs.frontend
+        uses: ./.github/actions/cached-dependencies
+        with:
+          run: build-embedded-sdk
       - name: Install Playwright
         if: steps.check.outputs.python || steps.check.outputs.frontend
         uses: ./.github/actions/cached-dependencies

.github/workflows/superset-playwright.yml

@@ -113,6 +113,11 @@ jobs:
         uses: ./.github/actions/cached-dependencies
         with:
           run: build-instrumented-assets
+      - name: Build embedded SDK
+        if: steps.check.outputs.python || steps.check.outputs.frontend
+        uses: ./.github/actions/cached-dependencies
+        with:
+          run: build-embedded-sdk
       - name: Install Playwright
         if: steps.check.outputs.python || steps.check.outputs.frontend
         uses: ./.github/actions/cached-dependencies
@@ -125,6 +130,21 @@ jobs:
           NODE_OPTIONS: "--max-old-space-size=4096"
         with:
           run: playwright-run "${{ matrix.app_root }}" experimental/
+      - name: Run Playwright (Embedded Tests)
+        if: steps.check.outputs.python || steps.check.outputs.frontend
+        uses: ./.github/actions/cached-dependencies
+        env:
+          NODE_OPTIONS: "--max-old-space-size=4096"
+          # Scope embedded-only env vars to this step. Setting them at the job
+          # level enabled the EMBEDDED_SUPERSET feature flag inside Flask for
+          # the preceding "Required Tests" and "Experimental Tests" steps too,
+          # which loads extra handlers and destabilizes the werkzeug dev
+          # server under the 2-worker Playwright load. Required Tests should
+          # match master's Flask configuration.
+          SUPERSET_FEATURE_EMBEDDED_SUPERSET: "true"
+          INCLUDE_EMBEDDED: "true"
+        with:
+          run: playwright-run "${{ matrix.app_root }}" embedded
       - name: Set safe app root
         if: failure()
         id: set-safe-app-root

UPDATING.md

@@ -24,6 +24,12 @@ assists people when migrating to a new version.
 
 ## Next
 
+### Dataset import validates catalog against the target connection
+
+Importing a dataset now validates the `catalog` field against the target database connection. When the connection has multi-catalog disabled (`allow_multi_catalog` off) and the dataset's catalog is not the connection's default catalog, the import fails instead of silently persisting the non-default catalog. This matches the validation already enforced on the dataset update path and prevents imported datasets from querying an unintended database.
+
+If you relied on importing datasets with a non-default catalog, enable "Allow changing catalogs" on the target connection, or set the dataset's catalog to the connection's default before importing.
+
 ### Granular Export Controls
 
 A new feature flag `GRANULAR_EXPORT_CONTROLS` introduces three fine-grained permissions that replace the legacy `can_csv` permission:

docker/pythonpath_dev/superset_config_docker_light.py

@@ -18,6 +18,8 @@
 # Configuration for docker-compose-light.yml - disables Redis and uses minimal services
 
 # Import all settings from the main config first
+import os
+
 from flask_caching.backends.filesystemcache import FileSystemCache
 
 from superset_config import *  # noqa: F403
@@ -36,3 +38,32 @@
 
 # Disable Celery entirely for lightweight mode
 CELERY_CONFIG = None  # type: ignore[assignment,misc]
+
+# Honor SUPERSET_FEATURE_<NAME> env vars on top of any flags inherited from
+# superset_config. Lets local dev/e2e enable features (e.g. EMBEDDED_SUPERSET)
+# without editing shipped config files. Only the literal string "true"
+# (case-insensitive) is treated as enabled — "1"/"yes"/"on" are not, matching
+# the strict-string convention used elsewhere in Superset's env parsing.
+FEATURE_FLAGS = {
+    **FEATURE_FLAGS,  # noqa: F405
+    **{
+        name[len("SUPERSET_FEATURE_") :]: value.strip().lower() == "true"
+        for name, value in os.environ.items()
+        if name.startswith("SUPERSET_FEATURE_")
+    },
+}
+
+if os.environ.get("SUPERSET_FEATURE_EMBEDDED_SUPERSET", "").strip().lower() == "true":
+    # Disable Talisman so /embedded/<uuid> doesn't return X-Frame-Options:SAMEORIGIN.
+    # Without this, browsers refuse to render Superset inside an iframe from a
+    # different origin (i.e. the embedded SDK use case). Production/CI configures
+    # Talisman with explicit `frame-ancestors`; for the lightweight local stack we
+    # just turn it off.
+    TALISMAN_ENABLED = False
+
+    # Guest tokens (used by the embedded SDK) inherit the "Public" role's perms.
+    # Out of the box Public has zero perms, so embedded dashboards immediately fail
+    # their first call (`/api/v1/me/roles/`) with 403. Mirror Public to Gamma —
+    # the standard read-only viewer role — so the embedded flow can authenticate
+    # and load dashboard data in local dev.
+    PUBLIC_ROLE_LIKE = "Gamma"

scripts/translations/backfill_po.py

@@ -69,6 +69,24 @@
 DEFAULT_MODEL = "claude-sonnet-4-6"
 DEFAULT_BATCH_SIZE = 50
 
+_ASF_LICENSE_HEADER = """\
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+"""
+
 # Language names for the prompt, keyed by ISO code
 LANGUAGE_NAMES: dict[str, str] = {
     "ar": "Arabic",
@@ -95,6 +113,19 @@
 }
 
 
+def _ensure_license_header(po_path: Path, *, dry_run: bool = False) -> None:
+    """Prepend the ASF license header to the .po file if it is missing."""
+    content = po_path.read_text(encoding="utf-8")
+    if "Licensed to the Apache Software Foundation" not in content:
+        if dry_run:
+            print(
+                f"[dry-run] Would add ASF license header to {po_path}", file=sys.stderr
+            )
+        else:
+            po_path.write_text(_ASF_LICENSE_HEADER + content, encoding="utf-8")
+            print(f"Added ASF license header to {po_path}", file=sys.stderr)
+
+
 def _lang_name(code: str) -> str:
     """Return a human-readable language name for an ISO language code."""
     return LANGUAGE_NAMES.get(code, code)
@@ -510,6 +541,8 @@ def backfill(
     with open(index_path, encoding="utf-8") as f:
         index: dict[str, Any] = json.load(f)
 
+    _ensure_license_header(po_path, dry_run=dry_run)
+
     print(f"Loading {po_path} …", file=sys.stderr)
     cat = polib.pofile(str(po_path))